What OPSEC? Member of “thedarkoverlord” allegedly used his personal details to set up hacking and extortion-related accounts.

In what seems like a mind-boggling OPSEC #FAIL, a U.K. man associated with thedarkoverlord allegedly used his real details to create bank accounts as well as to open email accounts, phone numbers, VPN, Twitter, and PayPal accounts that thedarkoverlord used as part of its operations to hack and extort victims. For a group that signed their pastes and extortion demands as a “Professional Adversary,” the revelations should be embarrassing, to say the least. But embarrassment may be the least of their problems. Now that Nathan Wyatt is in custody in the U.S. awaiting trial for his alleged role, will he roll on others to get himself a deal?

In June 2016, an individual or group calling themselves “thedarkoverlord” (TDO) announced that they/he had hacked three patient databases and put them up for sale on a dark web marketplace. Since that time, this site has reported on TDO’s criminal activities dozens of times, but even the many hacks this site has covered represent only a small fraction of TDO’s actual criminal operations. The scope of their attacks often tends to get lost in mainstream media coverage that tends to only point out hacks involving Orange is the New Black, celebrity patients, or well-known corporations like Gorilla Glue. But TDO has hit numerous big and small businesses, school districts, universities, and big and small medical entities. And over the past few years, those of us who have watched them have seen them grow increasingly aggressive and violent in their imagery and threats.

But then things seemed to suddenly stop. In early 2019, KickAss Forum shuttered. Without that forum to post their offerings and banned from most social media platforms they had been using to try to sell hacked files, TDO disappeared from public view. They haven’t responded to emails I have sent to their email account for journalists, and they didn’t re-emerge on New Year’s Eve with a major hack announcement as they have done in past years.

So where’s TDO?

Are they in custody or have they gone to ground because one of their alleged members, Nathan Wyatt, is now in U.S. custody awaiting trial? Have they continued hacking entities? Or are they just relaxing somewhere enjoying retirement? Significantly, perhaps, their disappearance from public view roughly corresponds with Wyatt losing his appeal of a ruling ordering his extradition to the U.S. Either way, for a criminal operation that often tried to portray itself as a polished and professional adversary, Nathan Wyatt is not a good look for them.

Who is Wyatt?

Nathan Francis Wyatt, 39, is an unemployed U.K. national who lives in Wellingborough with his fiancee, Kelly Howell, and some of their children. He and his fiancee live off the welfare benefits they receive from the government. Wyatt has acknowledged that he has supplemented those benefits with illegal online activities.

Unless there’s some plea deal worked out, Wyatt will be tried in federal court in St. Louis for his alleged role in some of the early TDO hacks and extortion attempts in Missouri, Illinois, and Georgia. The indictment can be found here. Wyatt faces trial here on 6 counts: a single conspiracy charge, two counts of aggravated identity theft, and three counts of threatening damage to a computer. Although DOJ did not name the victim entities in their court filings, I have identified the victim entities (with one possible exception) based on DOJ’s descriptions, my previous detailed reporting on the breaches, and the fact that some of the evidence DOJ provides in the affidavit exactly matches files that had been given to me by TDO for those victims. Wyatt, whose online nicks include “Crafty Cockney,” “Hardcore,” and “Mas,” pleaded not guilty in his first appearance in federal court in December after losing his attempt to prevent extradition.

OPSEC? What OPSEC?

Anyone reading the affidavit supporting the government’s extradition request may understandably conclude that Wyatt should try to make a plea deal. There appears to be a tremendous amount of compelling evidence supporting the charges, although of course, those are just allegations that need to be proved in court. But then also remember that DOJ did not show all its evidence in the affidavit. They likely withheld what they consider to be other damning evidence that they will present at a later date or use to persuade Wyatt to plead guilty.

Actually, if you read the affidavit, you may well wonder what on earth Wyatt could possibly have been thinking when he allegedly used his own personal details to open email, phone, PayPal, and bank accounts that were used for criminal purposes.* Did Wyatt’s alleged co-conspirators have any idea how casual and negligent he was about OPSEC or did they know what he was doing? From statements made to me by TDO in September 2016, they had no idea that “Crafty Cockney’s” real name was Nathan Wyatt and so when they saw the bank accounts he had set up, they did not know it was his real name and his fiancee’s real name and their real addresses. Whether TDO was telling me the truth in disclaiming any previous knowledge of Wyatt’s identity remains to be determined.

Wyatt was no stranger to crime

The current charges represent only a small part of Wyatt’s alleged criminal activity over the past 3 years.** Charges against him in 2016 for his role in selling hacked photos of Pippa Middleton were dropped and he never served any time for his role in that case. Those close to that situation believe that the charges were dropped to spare Middleton the stress of a court case and not for lack of evidence. Both The Sun and this blogger had quite a bit of evidence showing Wyatt’s involvement in the attempted sale of the photos.

But while Wyatt seemed to have caught a break in the Pippa Middleton case, he wound up arrested again months later because in the process of investigating the Middleton matter, prosecutors found evidence of other crimes on his devices. As a result of their discovery and […]
